<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-link:"Heading 1 Char";
margin-top:0in;
margin-right:0in;
margin-bottom:11.0pt;
margin-left:.75in;
text-indent:-.75in;
page-break-after:avoid;
mso-list:l1 level1 lfo1;
font-size:16.0pt;
font-family:"Cambria",serif;
mso-fareast-language:EN-US;}
h2
{mso-style-link:"Heading 2 Char";
margin-top:0in;
margin-right:0in;
margin-bottom:11.0pt;
margin-left:1.0in;
text-indent:-1.0in;
page-break-after:avoid;
mso-list:l1 level2 lfo1;
font-size:12.0pt;
font-family:"Cambria",serif;
mso-fareast-language:EN-US;
font-style:italic;}
h3
{mso-style-link:"Heading 3 Char";
margin-top:0in;
margin-right:0in;
margin-bottom:11.0pt;
margin-left:.75in;
text-indent:-.25in;
page-break-after:avoid;
mso-list:l1 level3 lfo1;
font-size:11.0pt;
font-family:"Cambria",serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-link:"Heading 2";
font-family:"Cambria",serif;
mso-fareast-language:EN-US;
font-weight:bold;
font-style:italic;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:278296876;
mso-list-template-ids:-945136056;}
@list l0:level1
{mso-level-start-at:17;
mso-level-text:%1;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:22.8pt;
text-indent:-22.8pt;}
@list l0:level2
{mso-level-text:"%1\.%2";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:22.8pt;
text-indent:-22.8pt;}
@list l0:level3
{mso-level-text:"%1\.%2\.%3";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.5in;
text-indent:-.5in;}
@list l0:level4
{mso-level-text:"%1\.%2\.%3\.%4";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.75in;}
@list l0:level5
{mso-level-text:"%1\.%2\.%3\.%4\.%5";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.75in;}
@list l0:level6
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-1.0in;}
@list l0:level7
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-1.0in;}
@list l0:level8
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.25in;}
@list l0:level9
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.25in;}
@list l1
{mso-list-id:1168407073;
mso-list-template-ids:-1546361960;}
@list l1:level1
{mso-level-style-link:"Heading 1";
mso-level-tab-stop:.75in;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.5in;}
@list l1:level2
{mso-level-style-link:"Heading 2";
mso-level-legal-format:yes;
mso-level-text:"%1\.%2";
mso-level-tab-stop:.75in;
mso-level-number-position:left;
text-indent:-.75in;}
@list l1:level3
{mso-level-style-link:"Heading 3";
mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3";
mso-level-tab-stop:1.25in;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;}
@list l1:level4
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.5in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.75in;}
@list l1:level6
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.75in;}
@list l1:level7
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.0in;}
@list l1:level8
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.0in;}
@list l1:level9
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-1.25in;}
@list l2
{mso-list-id:1184250754;
mso-list-template-ids:1594529998;}
@list l2:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Ben,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">WebTrust has created an audit scheme which covers both non-EV and EV Code Signing certificates. The CSCWG has not referenced the audit scheme in the CSBRs. Here is a draft of text, which would all EVCS 1.4.1 for audit periods starting before
1 November 2020, but require CSBR 2.0 for audit periods starting on or after 1 November 2020.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We would still need to discuss this with the CSCWG, but I have not heard of any negative feedback based on the position that WebTrust took when it generated the new audit criteria.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h2 style="margin-left:22.8pt;text-indent:-22.8pt;mso-list:l0 level2 lfo3"><a name="_Toc402526161"></a><a name="_Toc17488559"></a><a name="_Toc63253260"><span style="mso-bookmark:_Toc17488559"><span style="mso-bookmark:_Toc402526161"><![if !supportLists]><span style="mso-list:Ignore">17.1<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]> Eligible Audit Schemes</span></span></a><o:p></o:p></h2>
<p class="MsoNormal">The CA MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes:
<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l2 level1 lfo2"><span style="background:yellow;mso-highlight:yellow">For Audit Periods staring before 1 November 2020,</span> “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities
– Publicly Trusted Code Signing Certificates v1.0.1 or newer”; or <o:p></o:p></li><li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l2 level1 lfo2"><span style="background:yellow;mso-highlight:yellow">For Audit Periods staring before 1 November 2020,</span> “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities
– Extended Validation Code Signing v1.4.1 or newer”; or <o:p></o:p></li><li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l2 level1 lfo2"><span style="background:yellow;mso-highlight:yellow">For Audit Periods staring on or after 1 November 2020, “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities
– Code Signing Baseline Requirements v2.0 or newer”; or <o:p></o:p></span></li><li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l2 level1 lfo2">ETSI EN 319 411-1, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or<o:p></o:p></li><li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l2 level1 lfo2">If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements
of one of the above schemes or (b) consists of comparable criteria that are available for public review.<o:p></o:p></li></ol>
<p class="MsoNormal">I will add to the CSCWG agenda for tomorrow’s meeting.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ben Wilson <bwilson@mozilla.com> <br>
<b>Sent:</b> Tuesday, July 13, 2021 4:01 PM<br>
<b>To:</b> Bruce Morton <Bruce.Morton@entrust.com><br>
<b>Cc:</b> cscwg-public@cabforum.org<br>
<b>Subject:</b> Re: [EXTERNAL] [Cscwg-public] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">It seems that additional work is needed to replace the EV Guidelines for Code Signing. For instance, section 17.1 of the Baseline Requirements for Code Signing says that the eligible audit scheme (for Baseline) can be “WebTrust for CAs
v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation Code Signing v1.4.1 or newer”, but it doesn't seem to be the other way around (that the BRCS is sufficient for EVCS). Does this working group have plans to replace the EV Guidelines
for Code Signing with a unified guideline document?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, Jul 13, 2021 at 12:20 PM Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi Ben,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Based on how I interpret the requirements for the new CSBR v2.0 audit criteria, it should be used for all audit periods starting on or after 1 November 2020. So that would mean
that EVCS 1.4.1 could be used for periods starting before 1 November 2020. With a 3 month posting deadline, you could see EVCS 1.4.1 audit reports posted until 31 January 2022 (or later for late reports).<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">For example, if an audit period started on 1 October 2020 and ended on 30 September 2021, then the CA could use EVCS 1.4.1 and must post the report by 31 December 2021.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Bruce.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;border-color:currentcolor currentcolor">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org" target="_blank">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben Wilson via Cscwg-public<br>
<b>Sent:</b> Tuesday, July 13, 2021 1:55 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org" target="_blank">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB<o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">All,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">In reference to the Webtrust Principles and Criteria and the CCADB's ALV processing of audit letters, see<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="https://urldefense.com/v3/__https:/www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria__;!!FJ-Y8qCqXTj2!Of1UlBnrsakPt5Col1B5EeWGfnEFVf6SGVSJAehLcnY117n7naUu9KBRjfK7BVUX7yk$" target="_blank">https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria</a>,
which mentions <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">WebTrust for EV CS v. 1.4.1. At what point will a requirement for v. 1.4.1 go away, if it will? The reason I ask is that the CCADB gave me an ALV error recently when it processed
an EV CS audit letter because it did not specifically mention WebTrust EV CS v. 1.4.1.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thoughts?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Ben<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>